Attention when choosing an Encryption solution - Weakness in Password manager of Firefox and Thunderbird

An "IT security researcher" recently engaged attention on a seemingly older, known weakness in Mozilla's password managers of Firefox and Thunderbird. Core problem is the way of dealing with the master password (keyword: secure password hashing). We recommend for years to pay close attention - when choosing an encryption software - which password hashing procedure is used. Otherwise, you eventually have no real data encryption at all. We try to provide some clear background information.

Password-based Encryption: Background knowledge

For a better understanding it has to be explained that password-based encryption technologies – e.g., like the pre-mentioned integrated password managers, but also disk or file encryption – use a so called master password as a basis. Sometimes it is also called passphrase. This has to be "hashed" securely so that the actual encryption works securely. For the interested reader, we already cover technical details and backgrounds in our article
"Secure Password Hashing".

Briefly explained for the layperson: Encryption works on the basis of so called encryption keys – or short 'keys'. Common encryption methods or algorithms that you might have heard of are for instance RSA or AES-256. These are used in SSL/TLS on a daily basis by yourself whenever you call a website using HTTPS. Technically, a key is nothing else but a unique data array which allows only its owner (user) the encryption and decryption of data.

However, a master password is no key (yet). To encrypt data (e.g., a password collection within a password manager), a suitable key has to be "created" from the master password. This "generation" has to be secure for obvious reasons. Because: If the key generation is not secure, the whole encryption is broke. All following procedures could be the best possible, but if the starting point – the key generation – is insecure, all these procedures are void. So, at the end you have effectively no encryption at all.

For the "generating" process so called mathematical/cryptographic hash functions are used. In case of the problem concerning the master password handling of the integrated password managers in Firefox and Thunderbird, this does not happen adequately secure (old hashing procedures, too few hash iterations).
Here you find the
original article.

Look very carefully when selecting an Encryption Software

For years we explicitly recommend to look carefully at password hashing methods when selecting an encryption software using password-based encryption. If you find no or just limited information on this, you should better not count on the corresponding solution! In the worst case you actively decided to use encryption for your own data, but the chosen encryption method has no effect.

To make it worse for the average user, there are indeed security standards to look for, but these have degrees of freedom for the actual implementation - meaning how a developer programs a software. This applies especially to the "strength" of the translation of a master password to a crypto key. Take the well-known ZIP format as an example. It contains a secure AES encryption option. However, the corresponding standard included, also because of its age, a default hash iteration of 1000. This is also today still used by many ZIP tools. The standard would allow for higher, variable values! Hence, in this case it is - unfortunately - not enough to count on statements like "follows an approved standard". (Please not that these degrees of freedom have a meaningful background! - Since the hashing iterations have an influence on hacking attempts using computers with more processor power.)

Moreover, one should exactly think about the own, basic goal of the chosen encryption. There are many totally different ways to encrypt data: Hard drive encryption / whole or full disk encryption, file encryption, archive encryption, cloud encryption, e-mail encryption, database encryption etc. Every kind has its right to exist and its application. The latter are of course not identical. Consulting on how to choose the proper solution is, unfortunately, far beyond the scope of this article.

Rule of Thumb & Examples for Choosing an Encryption solution

Since we offer our own encryption solutions, it has to be said that we strictly use secure password hashing procedures in all our password-based encryption solutions. In
CrococryptFile
(open source file encryption) for instance, we use a default iteration count for the master password of 100000 using a secure and approved hashing algorithm. This counter is individually adjustable and variable (e.g., for PCs with more computing power). Our software for encrypted file backups,
CrococryptMirror,
also uses a default of 100,000 iterations. This values is program-internally variable as well.

For the average user, it might help a little bit to look for the following, common techniques as rough guidelines:

Encryption using at least AES-128, Twofish-128, ...

Password hashing using at least SHA-256, Whirlpool, ...

Iterating the password hashing following, for instance, PBKDF2 standard using about 100,000 iterations

Encryption is a complex topic and these statements are as said before only a rough orientation. There are many more secure techniques which we cannot provide in a complete list.

As (golden) Rule of Thumb one can say: If a chosen password-based encryption solution gives no information on used hash procedures and the number of hash iterations, you better look for an alternative which does.

About: HissenIT - Tailormade Software Development and IT Consulting

HissenIT, is a small business company from Germany focusing on IT software development, programming and consulting. Founder and computer scientist Frank Hissen has over 19 years of experience in various positions in IT projects - today offering special services from experience in IT security, web application security and encryption solutions.